Auto-merge PR#831

Auto-merge PR#831
CVE Team 2021-02-11 16:40:21 -05:00 committed by GitHub
commit fc42c1bc94
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,18 +1,93 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21310",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Token verification bug in next-auth"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "next-auth",
"version": {
"version_data": [
{
"version_value": "< 3.3.0"
}
]
}
}
]
},
"vendor_name": "nextauthjs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "NextAuth.js (next-auth) is am open source authentication solution for Next.js applications. In next-auth before version 3.3.0 there is a token verification vulnerability.\n\nImplementations using the Prisma database adapter in conjunction with the Email provider are impacted. Implementations using the Email provider with the default database adapter are not impacted. Implementations using the Prisma database adapter but not using the Email provider are not impacted.\n\nThe Prisma database adapter was checking the verification token, but was not verifying the email address associated with that token.\nThis made it possible to use a valid token to sign in as another user when using the Prima adapter in conjunction with the Email provider.\nThis issue is specific to the community supported Prisma adapter.\n\nThis issue is fixed in version 3.3.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-290: Authentication Bypass by Spoofing"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pg53-56cg-4m8q",
"refsource": "CONFIRM",
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pg53-56cg-4m8q"
},
{
"name": "https://www.npmjs.com/package/next-auth",
"refsource": "MISC",
"url": "https://www.npmjs.com/package/next-auth"
},
{
"name": "https://github.com/nextauthjs/next-auth/releases/tag/v3.3.0",
"refsource": "MISC",
"url": "https://github.com/nextauthjs/next-auth/releases/tag/v3.3.0"
}
]
},
"source": {
"advisory": "GHSA-pg53-56cg-4m8q",
"discovery": "UNKNOWN"
}
}
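Review bot: The `impact.cvss` block scores `integrityImpact` as `NONE`, which is hard to reconcile with the description's statement that a valid token could be used to sign in as another user; a session held as another account would normally allow modifying that account's data. If the vector is copied verbatim from the GitHub advisory, it is probably better confirmed with the assigning CNA than edited here, since `baseScore` and `vectorString` would have to change together. Separately, the new description string has two typos that will propagate to downstream feeds: `is am open source` should read `is an open source`, and `the Prima adapter` should read `the Prisma adapter`. The affected range is carried as free text in `"version_value": "< 3.3.0"`, so automated matchers have to parse the operator out of the string, and the Prisma-adapter-plus-Email-provider precondition exists only in prose.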